Multiple rules in a mapping are not working with the type: "local" attribute
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Invalid | Undecided | Unassigned |
Bug Description
We have a requirement in which we want to set up an external identity provider with keystone federation for SSO.
I have added two rules to a mapping which match the criteria below, and added this mapping to the OS_FEDERATION identity provider.
Rule 1. If the user already exists in keystone, it should not create a new ephemeral user.
Rule 2. If the user is not found in keystone, it should create a new user in the SSO federated domain.
Problem:
If the user is not present already, it should match the second rule and a new user should be created. But it's throwing an Unauthorized error.
I think that with type: "local" specified, it will throw an Unauthorized error even if there are multiple rules for a given mapping.
With multiple rules specified, it should try to match a rule in order, which is not working as expected.
I have attached the mapping object for reference.
Changed in keystone: status: Invalid → New
Changed in keystone: status: New → Invalid
Unfortunately the "local" type within the "local" section is not a matching rule. Only the keys in the "remote" section are matched, then they are mapped to attributes in the "local" section. If the user doesn't exist already in keystone, but still matches the remote rule `"type": "HTTP_GROUPS", "any_one_of": ["consumers"]`, it will be mapped to the first case, and then expect there to already be a local user. The matching can only be done based on remote attributes, not on local attributes.
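The following is an added example, not keystone's code and not the reporter's attached mapping (which is not on the page). It is a toy evaluator of the mapping model described in the comment: a rule is selected purely by its `remote` conditions, and the `local` section, including `"type": "local"`, is only applied afterwards. The mapping is a reconstruction of the two rules the reporter describes (identical remote conditions, different local user type), the assertions and the set of existing users are constructed, and the evaluator simplifies keystone's engine to "first matching rule wins" with `;` as the multi-value separator.

```python
"""Toy evaluator for the keystone federation mapping model.

Added example, not keystone's own code. It reproduces only the behaviour
described in the comment: rules are selected by their "remote" conditions,
and the "local" section (including "type": "local") is applied afterwards,
so it can never influence which rule fires.
"""

# Constructed mapping in the shape the reporter describes: two rules with
# identical remote conditions, differing only in the local user type.
# (Assumption: the attached mapping is not on the page, so this is a
# reconstruction, not the reporter's file.)
MAPPING = {
    "rules": [
        {   # Rule 1: intended only for users that already exist in keystone
            "local": [{"user": {"name": "{0}", "type": "local",
                                "domain": {"name": "Default"}}}],
            "remote": [
                {"type": "REMOTE_USER"},
                {"type": "HTTP_GROUPS", "any_one_of": ["consumers"]},
            ],
        },
        {   # Rule 2: intended fallback that creates an ephemeral user
            "local": [{"user": {"name": "{0}", "type": "ephemeral"},
                       "group": {"name": "federated_users",
                                 "domain": {"name": "federated"}}}],
            "remote": [
                {"type": "REMOTE_USER"},
                {"type": "HTTP_GROUPS", "any_one_of": ["consumers"]},
            ],
        },
    ]
}

# Constructed assertions as the IdP would present them (multi-valued
# attributes separated by ';').
ASSERTION_EXISTING = {"REMOTE_USER": "bob", "HTTP_GROUPS": "consumers;staff"}
ASSERTION_NEW = {"REMOTE_USER": "alice", "HTTP_GROUPS": "consumers"}

# Constructed set of users that already exist in the keystone backend.
LOCAL_USERS = {"bob"}


def remote_condition_matches(cond, assertion):
    """Evaluate one entry of a rule's "remote" list against the assertion.

    Only assertion attributes are consulted; nothing about the local section
    or the local user database is visible to this function.
    """
    raw = assertion.get(cond["type"])
    if raw is None:
        return False
    values = raw.split(";")
    if "any_one_of" in cond:
        return any(v in cond["any_one_of"] for v in values)
    if "not_any_of" in cond:
        return all(v not in cond["not_any_of"] for v in values)
    return True  # bare {"type": X}: the attribute must merely be present


def matching_rules(mapping, assertion):
    """Return the indexes of every rule whose remote conditions all hold."""
    return [i for i, rule in enumerate(mapping["rules"])
            if all(remote_condition_matches(c, assertion) for c in rule["remote"])]


def map_user(mapping, assertion, local_users):
    """Select the first matching rule, then apply its local user section.

    Returns a dict with "ok" and either the mapped user or an error string.
    """
    matched = matching_rules(mapping, assertion)
    if not matched:
        return {"ok": False, "error": "Unauthorized: no rule matched"}
    rule = mapping["rules"][matched[0]]
    # Direct mapping: {0}, {1}, ... refer to the bare remote entries in order.
    direct = [assertion[c["type"]] for c in rule["remote"] if len(c) == 1]
    user = next(item["user"] for item in rule["local"] if "user" in item)
    name = user["name"].format(*direct)
    if user.get("type") == "local" and name not in local_users:
        # Rule selection is already over at this point, so the second rule
        # never gets a chance: the local lookup simply fails.
        return {"ok": False,
                "error": f"Unauthorized: local user {name!r} does not exist"}
    return {"ok": True, "user": name, "type": user.get("type", "ephemeral"),
            "rule": matched[0]}


if __name__ == "__main__":
    print("rules matching a new user:", matching_rules(MAPPING, ASSERTION_NEW))
    print(map_user(MAPPING, ASSERTION_EXISTING, LOCAL_USERS))
    print(map_user(MAPPING, ASSERTION_NEW, LOCAL_USERS))
```

Both rules match both assertions, because the only thing that differs between them lives in the `local` section. To route new and existing users to different rules, the two populations have to differ in some remote attribute (for instance a group the IdP emits), since that is the only data the matcher sees.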